A new backdoor created by the Iron attack group has infected at least 2,000 victims so far, researchers said.
The backdoor source code comes from the Hacking Team’s Remote Control System (RCS), said Omri Ben Bassat, a researcher at security firm Intezer.
HackingTeam is a Milan, Italy-based information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations.
The Iron group, which created the Iron ransomware, has been active for around 18 months.
“During the past year and a half, the Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms,” Bassat said in a post. “They have used their malware to successfully infect, at least, a few thousand victims.”
Bassat first found the backdoor in April. It features an installer protected with VMProtect and compressed using UPX.
During installation, it checks whether it is running in a virtual machine, drops and installs a malicious Chrome extension, creates a scheduled task, creates a mutex to ensure only one instance of itself is running, drops the backdoor in the Temp folder, then checks the OS version and launches the backdoor build that matches the platform, the researcher said.
The malware also checks whether Qihoo 360 products are present on the system and only proceeds if none is found. It also installs a rogue root CA certificate so that the signature on the backdoor binary appears trusted, then creates a service pointing back to the backdoor.
Part of the backdoor’s code is based on HackingTeam’s leaked RCS source code, Bassat said.
The virtual machine detection code was taken directly from HackingTeam’s “Soldier” implant (it detects Cuckoo Sandbox, VMware products, and Oracle’s VirtualBox), and the DynamicCall module comes from HackingTeam’s “core” library.
The malicious Chrome extension dropped by the malware is a patched version of Adblock Plus, which injects an in-browser crypto-mining module (based on CryptoNoter) and an in-browser payment hijacking module.
The extension runs constantly in the background as a stealthy, host-based crypto-miner. Every minute, the malware checks whether Chrome is running and can silently launch it if it is not.
If Qihoo 360 Safe Guard or Internet Security are found on the system, the malware runs once, without persistence. Otherwise, it installs a rogue, hardcoded root CA certificate to make the backdoor binary seem legitimate.
The malware decrypts shellcode that loads a Cobalt Strike beacon in memory and fetches a payload URL from a hardcoded Pastebin paste address.
Two different payloads were dropped by the malware: Xagent, a variant of the “JbossMiner Mining Worm,” and the Iron ransomware, which had only just appeared.
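The installation chain described above (a binary dropped to Temp, a scheduled task, a rogue root CA, a service pointing at the dropped binary, Chrome launched by a non-shell parent, and a Pastebin fetch from a non-browser process) is what a defender can correlate in endpoint telemetry. The following detection example is added here and is not code from the article or from Intezer; the log format, field names, indicator names and weights are all assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): one event per line, formatted
# "<timestamp> <host> <event_type> key=value key="quoted value" ...".
# WS-01 shows the full chain from the article; WS-02 is benign browser activity.
SAMPLE_LOG = r"""
2018-05-01T10:00:01Z WS-01 process image=C:\Users\a\AppData\Local\Temp\svchosts.exe parent=C:\Users\a\Downloads\setup.exe
2018-05-01T10:00:02Z WS-01 process image=C:\Windows\System32\schtasks.exe parent=C:\Users\a\AppData\Local\Temp\svchosts.exe cmdline="schtasks /create /tn Updater /sc minute /mo 1 /tr C:\Users\a\AppData\Local\Temp\svchosts.exe"
2018-05-01T10:00:03Z WS-01 cert_added store=LocalMachine\Root subject="CN=Update Root CA"
2018-05-01T10:00:04Z WS-01 service_installed name=UpdaterSvc image=C:\Users\a\AppData\Local\Temp\svchosts.exe
2018-05-01T10:01:00Z WS-01 process image="C:\Program Files\Google\Chrome\Application\chrome.exe" parent=C:\Users\a\AppData\Local\Temp\svchosts.exe
2018-05-01T10:01:05Z WS-01 network image=C:\Users\a\AppData\Local\Temp\svchosts.exe dest=pastebin.com port=443
2018-05-01T10:02:00Z WS-02 process image="C:\Program Files\Google\Chrome\Application\chrome.exe" parent=C:\Windows\explorer.exe
2018-05-01T10:02:10Z WS-02 network image="C:\Program Files\Google\Chrome\Application\chrome.exe" dest=pastebin.com port=443
"""

# key=value pairs; quoted values may contain spaces and '='.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Paths under a user or system Temp directory (assumed drop locations).
TEMP_RE = re.compile(r'\\(?:AppData\\Local\\Temp|Windows\\Temp)\\', re.IGNORECASE)

# Assumed weights: no single stage reaches the default threshold on its own,
# so a host is flagged only when several stages of the chain are seen together.
WEIGHTS = {
    "exec_from_temp": 1,
    "scheduled_task_to_temp": 2,
    "root_ca_installed": 3,
    "service_points_to_temp": 2,
    "chrome_spawned_by_nonshell": 1,
    "nonbrowser_pastebin_fetch": 2,
}
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe")


def parse_event(line):
    """Split one log line into (host, event_type, fields)."""
    _ts, host, etype, rest = line.split(" ", 3)
    # findall yields '' for the unmatched alternative, so prefer the quoted group.
    fields = {k: (q if q else u) for k, q, u in KV_RE.findall(rest)}
    return host, etype, fields


def indicators_for(etype, f):
    """Map one event to the names of the chain stages it evidences."""
    image = f.get("image", "").lower()
    parent = f.get("parent", "").lower()
    cmdline = f.get("cmdline", "")
    hits = set()
    if etype == "process":
        if TEMP_RE.search(image):
            hits.add("exec_from_temp")
        if image.endswith("schtasks.exe") and "/create" in cmdline.lower() and TEMP_RE.search(cmdline):
            hits.add("scheduled_task_to_temp")
        if image.endswith("chrome.exe") and not parent.endswith("explorer.exe"):
            hits.add("chrome_spawned_by_nonshell")
    elif etype == "cert_added" and f.get("store", "").lower().endswith("\\root"):
        hits.add("root_ca_installed")
    elif etype == "service_installed" and TEMP_RE.search(image):
        hits.add("service_points_to_temp")
    elif etype == "network" and f.get("dest", "").lower() == "pastebin.com" and not image.endswith(BROWSERS):
        hits.add("nonbrowser_pastebin_fetch")
    return hits


def score_hosts(log_text):
    """Return {host: (score, sorted indicator names)} accumulated over the whole log."""
    per_host = defaultdict(set)
    for line in log_text.strip().splitlines():
        host, etype, fields = parse_event(line)
        per_host[host] |= indicators_for(etype, fields)
    return {h: (sum(WEIGHTS[i] for i in inds), sorted(inds)) for h, inds in per_host.items()}


def flagged_hosts(log_text, threshold=4):
    """Hosts whose combined score reaches the threshold."""
    return sorted(h for h, (score, _) in score_hosts(log_text).items() if score >= threshold)


if __name__ == "__main__":
    for host, (score, inds) in score_hosts(SAMPLE_LOG).items():
        print(host, score, inds)
    print("flagged:", flagged_hosts(SAMPLE_LOG))
```

The root CA installation carries the highest weight because it is the rarest of these events on a healthy workstation, while a Chrome launch or a Temp execution alone is routine; the value of the rule is in the co-occurrence, which is why scores are accumulated per host rather than alerting on each event.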
In terms of its victims, “it is hard to define for sure, but to our knowledge, the total of the attacker’s pastes received around 14K views, about 11K for the dropped payload URL and about 2K for the Android miner paste,” Bassat said. “Based on that, we estimate that the group has successfully infected a few thousand victims.”
Bassat said they suspect the person or persons behind the group are Chinese, due in part to the following:
• Several leftover comments in the plugin were written in Chinese
• The root CA certificate password was in Mandarin
He also said the victims are in China, because:
• The malware searches for wallet file names in Chinese on victims’ workstations
• The malware won’t install persistence if Qihoo 360 (a popular Chinese AV) is found